[PATCH] JDK-8036559: Attach API does not allow root to connect to process owned by others

Dmitry Samersoff dmitry.samersoff at oracle.com
Thu Mar 17 08:58:20 UTC 2016


Elliott,

I'll take care of the CR.

But as soon as the changes have security implications, we should carefully
evaluate possible side effects. So it takes some time.

-Dmitry



On 2016-03-17 00:27, Elliott Baron wrote:
> Hi,
> 
> I've been working on an updated patch for JDK-8036559, where root does
> not have the ability to attach to unprivileged users' JVMs. I originally
> mentioned this problem back in 2013, and proposed a patch only for Linux
> [1]. The result was that the fix had to provide support for all affected
> platforms, and to include tests.
> 
> We worked around this issue in our project, but I revisited this bug
> recently. I investigated the issue on Windows, which has a very
> different implementation from the other platforms. I discovered that
> this bug does not appear to affect Windows. Using the test programs
> attached to Red Hat Bugzilla bug #1311638 [2], I verified the correct
> behaviour using the following steps:
>> (Open cmd.exe)
>> runas /user:test cmd.exe
>> runas /user:Administrator cmd.exe
>>
>> (In test's shell)
>> set TMP=C:\Users\Public\java_temp
>> cd C:\Users\Public\Documents
>> javac AttachTarget.java
>> java AttachTarget
>>
>> (In Administrator's shell)
>> set TMP=C:\Users\Public\java_temp
>> cd C:\Users\Public\Documents
>> javac -cp .;C:\Progra~1\Java\jdk1.8.0_74\lib\tools.jar AttachClient.java
>> java -cp .;C:\Progra~1\Java\jdk1.8.0_74\lib\tools.jar AttachClient
>> (outputs 'Target ok: AttachTarget')
> 
> My updated patches target JDK 9, and include support for Linux,
> Solaris, Mac OSX, and AIX. As far as tests are concerned, I'm not sure
> how to add tests for this bug, since doing so would require the test to
> be run as root. I am attaching the patches to this email, since I am not
> an OpenJDK committer and do not have access to cr.openjdk.java.net.
> 
> Thanks,
> Elliott
> 
> [1]
> http://mail.openjdk.java.net/pipermail/serviceability-dev/2013-June/010077.html
> 
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1311638


-- 
Dmitry Samersoff
Oracle Java development team, Saint Petersburg, Russia
* I would love to change the world, but they won't give me the sources.

